SettingsModifier:Win32/PossibleHostsFileHijack

  • Question
  • Updated 6 years ago
  • Answered
My Antivirus found this threat after re-enabling it, post CE 5.0.4.319 install. Is this something to be concerned about? Did CE put this on my machine, and therefore should I tell antivirus to allow it?

Steve


Posted 6 years ago


Patrick Smith, Alum

Great question! Yes, CE did it, and you should allow it. We knew it would be flagged by some security software, but the benefit to report clarity outweighed (we think/hope) the hassle of the occasional antivirus warning. Thanks for checking in on it!
Patrick

Chris

Microsoft Security Essentials flags it, so those users just go to your little (now orange) "house" and go choose "allow" it. You need to choose "show details" from UNDER the big "Clean PC" button to show exactly what MSE found. Then you can choose "allow." It was kind of obvious that it was a C/E-related issue when that was the last thing installed a minute ago, and this flagged on next restart.
C/E should have given a heads-up of a possibility of an AV warning. OR, passed on the information to the AV companies to make auto-exception in their AV definition files during beta testing.
(Edited)

Patrick Smith, Alum

Thanks, Chris, for the explanation of how to get past things with MSE. As for your recommendations in the second paragraph, we're working on doing those better.

We do have a caveat on the downloads page about temporarily disabling security software, but admittedly it's easily lost in the din.

Related to passing information to AV companies, we do this on a regular basis. The frequency with which such information is heeded by AV companies is quite variant, though.
  
Thanks,
Patrick
(Edited)

Steve

Thanks so much. This gives peace of mind. Blessings to you.

Charles Hume

I am horrified to find this issue is still around after 9 months and there is little information without considerable digging to know what to do about it. If we accept the warning, how do we know the resulting weakness cannot be exploited by unscrupulous virus authors (by, for example, re-engineering the changes you have made)?

Jake, Employee

Hey Charles, 
I apologize that there is not a more elegant way to accomplish what we do with the hostsfile.

Unfortunately, Microsoft Security Essentials and Windows Defender only detect that there is something trying to change the hostsfile, not what is changing it or why. If it mentioned Covenant Eyes, this discussion would be much shorter. Regardless, if you allow us to change the hostsfile, you will only see the notification once, either during installation or immediately afterward.

To clarify, the allowance we ask you to make is a one-time allowance and it should never ask again. It does not leave the hostsfile open for any program to edit. If another program does attempt to change the hostsfile, you will get another warning.

Hopefully, this helps to alleviate your concerns.

Jake
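
Because the detection discussed above reports only that the hosts file was modified, not what was written, one way to review the result is to list the file's active entries and sort them by what they do. This is an added example, not code from Covenant Eyes or from anyone in this thread; the sample entries, the `example.test` names and the category labels are constructed for illustration.

```python
import ipaddress

# Names a stock hosts file may map to loopback without needing review.
BENIGN_NAMES = {"localhost"}

def parse_hosts(text):
    """Yield (line_no, ip_text, [hostnames]) for each active hosts-file line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        fields = line.split()
        yield line_no, fields[0], fields[1:]

def classify(ip_text, names):
    """Label an entry: default, local-override, redirect or malformed."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "malformed"
    if not names:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        # Loopback or 0.0.0.0: the name is answered locally or null-routed.
        if all(n.lower() in BENIGN_NAMES for n in names):
            return "default"
        return "local-override"
    # Any other address sends the name to a different machine: review it.
    return "redirect"

def audit(text):
    return [(n, ip, names, classify(ip, names))
            for n, ip, names in parse_hosts(text)]

# Constructed sample, not taken from any real machine.
SAMPLE = """\
# constructed sample hosts file
#   127.0.0.1   localhost
127.0.0.1   localhost
::1         localhost
127.0.0.1   filter.example.test   # name pointed at a local service
0.0.0.0     ads.example.test
203.0.113.7 login.example.test www.example.test
not-an-ip   broken.example.test
"""

if __name__ == "__main__":
    for line_no, ip, names, verdict in audit(SAMPLE):
        if verdict != "default":
            print(f"line {line_no}: {verdict:14} {ip} -> {' '.join(names)}")
```

On Windows the file to pass to `audit()` is `%SystemRoot%\System32\drivers\etc\hosts`; comparing the output before and after an install shows exactly which entries the installer added.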

Chris

There are also exceptions you can add to MSE for the future. Being a Beta tester this is pretty much required ;)
Just a note up front for those who aren't too familiar with the differences between 32- and 64-bit editions of Windows 7. There are TWO Program Files folders on 64-bit systems, so C/E splits some things up between them. On 32-bit machines there is only one Program Files folder, so everything goes in there. So if you see a (x86) mentioned below, it is ONLY for 64-bit machines. Disregard any mention for 32-bit versions, as you don't have one.

Under the settings tab in MSE: on the left, "Excluded Files and Locations/"
(Manually add the following lines)
C:\Program Files\CE (for 32 bit systems AND 64 bit systems both)
C:\Program Files (x86)\CE   (add for 64 bit systems only)

Then change down on the left two lines to "Excluded processes"
(Manually add the following lines)
CovenantEyes.exe                  {in (x86)}
CovenantEyescommservice.exe    {in (x86)}
CovenantEyesHelper.exe        {in (x86)}
CovenantEyesProxy.exe     {in both???}

Someone from Tech Support please correct me on which exe is excepted and where, as I have the last ONE, CovenantEyesProxy.exe in BOTH plain and (x86) program files folders, so I'm unsure which I actually "browsed" out to to originally install the exception.

So far, with these installed, I've had no issues anymore with anything erroring when an update came along. MSE excepts only programs and folders NAMED here. So unless that malware author corrupts an actual C/E file that resides in a C/E folder, the likelihood of a direct attack I feel is very slim.

Jake, Employee

Hey Chris, 
You nailed the exclusions. I am Customer Support, can confirm. Our newest beta (5.2.87) changes things up a bit and only puts things in the plain Program Files folder regardless if you are running Windows 32 bit or 64 bit. 

To be concise, I am listing the file paths below which can be copied and pasted directly into MSE and Defender (Defender for Windows 8 and 8.1 is basically MSE).

C:\Program Files\CE\CovenantEyes.exe
C:\Program Files\CE\CovenantEyesHelper.exe
C:\Program Files\CE\CovenantEyesCommService.exe
C:\Program Files\CE\CovenantEyesProxy.exe

Jake